Trojan Horse virus

[blackberry]

I have a Trojan horse 19 virus. Any help to remove it would be very much appreciated. I had one of these last year and managed to remove it as a result of assistance on this website. I have unfortunately lost the instructions. I assume I need to do a Hijack scan but don't remember how to do that either. My apologies.

Regards,
Adrienne

 

[blackberry]

I just read how to do a Hijack scan and so below is my logfile. Any help appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:40:19 a.m., on 18/05/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Fmctrl.EXE
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\WINDOWS\System32\ctfmon.exe
E:\Accessories\WinZip\WZQKPICK.EXE
E:\SpySubtract\SpySub.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\ACCESS~1\WINZIP\winzip32.exe
C:\Documents and Settings\Adrienne\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - (no file)
O2 - BHO: (no name) - {6CFB9E4B-0183-4A14-8D0F-FC967338AACA} - C:\WINDOWS\System32\lcjc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [fwservice] C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe -startup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = E:\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Accessories\WinZip\WZQKPICK.EXE
O4 - Global Startup: SpySubtract.lnk = E:\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095232863776
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E0C46A-515D-4DAD-AC11-BD302C9A04B9}: NameServer = 202.180.64.2 202.180.64.9
O18 - Filter: text/html - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll
O18 - Filter: text/plain - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: FWService - Unknown owner - C:\Program Files\Acceleration Software\StopSignProducts\Firewall\fwservice.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

 

[Osiris]

Here is your log, please read thru them first and delete at your own risk.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Adrienne\LOCALS~1\Temp\se.dll/spage.html This entry should be fixed by HijackThis

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about :blank This page could possibly be nasty.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank This page could possibly be nasty.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank This page could possibly be nasty.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank This entry should be fixed by HijackThis!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about :blank This entry should be fixed by HijackThis!

O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - (no file) Entries found in this registry zone are potentially nasty. This application ([2E65A557-173C-4DE9-860B-28FC5CACA542] - Result: 2E65A557-173C-4DE9-860B-28FC5CACA542) has been checked

O2 - BHO: (no name) - {6CFB9E4B-0183-4A14-8D0F-FC967338AACA} - C:\WINDOWS\System32\lcjc.dll Entries found in this registry zone are potentially nasty. This application ([6CFB9E4B-0183-4A14-8D0F-FC967338AACA] - Result: ) has been checked

O17 - HKLM\System\CCS\Services\Tcpip\..\{E5E0C46A-515D-4DAD-AC11-BD302C9A04B9}: NameServer = 202.180.64.2 202.180.64.9 If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too.

O18 - Filter: text/html - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.

O18 - Filter: text/plain - {32BD5701-8B75-4628-AD31-DFD0D2EED5EF} - C:\WINDOWS\System32\lcjc.dll Only a few Hijackers are listed here. The most popular are 'cn' (CommonName) , 'ayb' (Lop.com) and 'relatedlinks' (Huntbar) . They should be fixed.

 

[blackberry]

Hi Warez,

Thank you for your suggestions. I am not able to delete the second file and that is where the trojan is - from what I can see. I don't know how to fix the other things that you mention 'should be fixed'. Do you have any further information.

Regards,
Adrienne

 

[Osiris]

Did you run any antivirus that is updated with the current virus file definitions? What about spybot search and destroy and adaware se personal?

 

[blackberry]

Yes, I run AVG, and the other programs you suggest. AVG picks the virus up but can't remove it.

Regards, Adrienne

 

[SHAWN]

See sig for free online scan. Its a Trend site. Try that

 

[Osiris]

Do you know the name of the trojan?